Univention Bugzilla – Bug 49941
Disable pam_systemd by default (4.3)
Last modified: 2019-07-31 14:25:39 CEST
+++ This bug was initially created as a clone of Bug #49910 +++

With Bug #47233 we enabled pam_systemd to terminate ssh sessions when the server reboots or is shut down. Unfortunately this has two negative side effects:
- for each user a `systemd --user` is started, which remains even after exit. On servers (running Samba) this leads to many extra processes consuming valuable system resources like RAM and already led to processes being killed by OOM.
- for each session the module creates a new CGroup, which "leaks" memory in the Linux kernel (Bug #49614): In-kernel memory structures are still associated with the CGroup even after all processes have terminated, which prevents the CGroup from being freed finally.

1. Disable the PAM module by default
2. Add a new UCR variable to enable it on demand.
[4.3-4] 2d2d854ac3 Bug #49910 pam: Disable pam_systemd by default
 .../conffiles/etc/pam.d/common-session.d/10univention-pam_common | 2 +-
 base/univention-pam/debian/changelog | 6 ++++++
 .../univention-pam/debian/univention-pam.univention-config-registry | 1 +
 .../debian/univention-pam.univention-config-registry-variables | 6 ++++++
 4 files changed, 14 insertions(+), 1 deletion(-)

Package: univention-pam
Version: 11.0.1-6A~4.3.0.201907310938
Branch: ucs_4.3-0
Scope: errata4.3-4

QA:
 apt install univention-pam=11.0.1-6A~4.3.0.201907310938
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=1
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=0
 grep --color pam_systemd /etc/pam.d/common-session
 ucr unset pam/session/systemd
 grep --color pam_systemd /etc/pam.d/common-session

[4.3-4] 0e4c3e1da1 Bug #49941: univention-pam 11.0.1-6A~4.3.0.201907310938
 doc/errata/staging/univention-pam.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
Verified:
* Patch backport
* Package update
* Functional test
* Advisory
<http://errata.software-univention.de/ucs/4.3/555.html>
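The QA steps above use a plain grep, which also matches a commented-out pam_systemd line. The following is an added example, not part of the bug report or the univention-pam package: a stricter check that reports only active session lines. The function names and the sample PAM lines are constructed for illustration and are not the real UCS template output.

```shell
#!/bin/sh
# Added example: decide whether pam_systemd is really active in a PAM
# session stack, ignoring commented-out lines.

# pam_systemd_lines FILE
# Print "FILE:LINENO: text" for every active line of type "session"
# (or "-session", PAM's quiet variant) that loads pam_systemd.so.
pam_systemd_lines() {
    awk '
        {
            sub(/#.*/, "")    # strip comments; awk re-splits the fields
            if (($1 == "session" || $1 == "-session") &&
                $0 ~ "(^|[ \t/])pam_systemd[.]so")
                print FILENAME ":" FNR ": " $0
        }
    ' "$1"
}

# pam_systemd_active FILE
# Exit status 0 if FILE enables pam_systemd for sessions, 1 otherwise.
pam_systemd_active() {
    [ -n "$(pam_systemd_lines "$1")" ]
}

# Demo on a constructed sample file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
session required pam_unix.so
# session optional pam_systemd.so
-session optional pam_systemd.so
EOF
if pam_systemd_active "$sample"; then
    echo "pam_systemd enabled:"
    pam_systemd_lines "$sample"
else
    echo "pam_systemd disabled"
fi
rm -f "$sample"
```

On a UCS host the same function can be pointed at /etc/pam.d/common-session after each `ucr set` or `ucr unset` step.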